ZDNET’s key takeaways
- Microsoft has released a patch to resolve a security flaw in Office.
- The flaw could let a malicious file attachment infect your PC.
- Office 2016 and 2019 users must manually update the program.
Microsoft has issued an emergency patch designed to resolve a zero-day security vulnerability affecting several versions of Microsoft Office. Already exploited in the wild, the flaw could allow an attacker to skirt past Office’s built-in security measures and send victims a malicious document.
Zero-day vulnerability
In a note published Monday, Microsoft revealed details behind the flaw, known as a Microsoft Office Security Feature Bypass Vulnerability.
Tagged as CVE-2026-21509, this vulnerability bypasses the OLE mitigations in Microsoft 365 and Microsoft Office. OLE (Object Linking and Embedding) lets Office link to or embed files, text, images, and other content from external applications. The OLE mitigations are supposed to prevent hackers from exploiting these controls to send malicious files and documents.
Attackers take advantage of such vulnerabilities to launch phishing campaigns in which you’re prompted to open a malicious file attachment. With the built-in security not working properly, the malicious code in the file can then easily infect your system.
Various versions of Microsoft 365 and Office are affected, including Microsoft Office 2016 (32-bit), Microsoft Office 2019 (32-bit and 64-bit), Microsoft 365 Apps for Enterprise (32-bit and 64-bit), Microsoft Office LTSC 2021 (32-bit and 64-bit), and Microsoft Office LTSC 2024 (32-bit and 64-bit).
How to get the patch
How you snag the patch depends on your version of Office.
If you’re running any edition of Office 2021 or later, you’ll automatically be protected through a server-side change, but you’ll have to restart Office for the patch to take effect.
If you’re still on Office 2016 or 2019, you’ll need to manually install the patch. Microsoft didn’t explain how to do that, but you likely just need to update Office itself. To do so, open any Office application, select the File menu, and then click the Account setting. From the account page, click the Update Options button and select Update Now. Allow the latest update to download and install.
To make sure your version of Microsoft 365 or Office is protected against this flaw, go back to the account page and click the About button for whichever application you opened. Make sure the Build number at the top reads 16.0.10417.20095 or higher.
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)